Syslog messages from the Security Gateway
Hi,
We want to receive syslog messages from the security gateway itself (not traffic-related logs), for example /var/log/messages from syslog. The issue is that, if you activate syslog on the security gateway, the syslog messages are not in an RFC-compatible format, which breaks the parsing on the server side.
I've been thinking about using the "send traffic to the Management Server" option and exporting (or viewing) the logs from there to the syslog server.
What is the best course of action to achieve logging to an external server? What is usually used in these situations?
The "Send Traffic to the Management Server" option puts those logs in the same place you see your traffic logs.
Those, of course, can be exported from there with Log Exporter just like the traffic logs.
However, I don't know that it changes the format of the log entries at all.
Hi Tiago,
You can configure gateways to send logs directly to syslog servers. Check Point supports RFC 3164 and RFC 5424. Can you share a sample of the syslog messages that could not be parsed on the syslog server?
"Sending traffic to the management server" is a good option; after enabling this you will be able to see firewall traffic-related logs and system messages together. I would not export them to an additional syslog server, since you can see both kinds of logs on the management server.
Hi Huseyin,
The issue we're having is that the messages are missing the hostname, timestamp, and syslog protocol version. This has been previously described under sk100727.
We were investigating whether it was a viable option to export the logs to the management server and then out to an external syslog server and parse them there, since they are exported in CEF format, which would allow us to parse the events.
We are on R80.10 (with some install base on R77.30, to be brought to R80.10 in the next few months). We are not looking to install the hotfix described in the SK, as it will require extra maintenance, as well as introducing potentially less stable code on the chassis.
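The two replies above describe the same problem from both sides: the gateway is supposed to speak RFC 3164 or RFC 5424, but the lines that actually arrive carry only a PRI field followed by the message, with no timestamp, hostname or version, so a strict collector rejects them. A pragmatic server-side alternative to the hotfix or to the management-server detour is a tolerant front end that accepts all three shapes, fills the missing header fields from transport metadata (source address and receive time), flags which fields were inferred, and re-emits everything as RFC 5424 for the SIEM. The following is an added example written for this thread, not code from Check Point or from any poster; the sample lines, the peer address 192.0.2.10, the receive time and the structured-data element name `norm@32473` (the example enterprise number from RFC 5612) are all constructed assumptions.

```python
"""Tolerant syslog normalizer (added example, not Check Point code).

Parses RFC 5424, RFC 3164 and degraded "<PRI>message" lines, then re-emits
them as RFC 5424 so a strict collector sees one constant shape. Header fields
that had to be taken from the transport (peer IP, receive time) are flagged in
a structured-data element instead of being passed off as device-supplied.
"""
import re
from datetime import datetime, timezone

PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<rest>.*)$", re.S)
# RFC 5424: VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
RFC5424_RE = re.compile(
    r"^1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<pid>\S+) (?P<msgid>\S+) "
    r"(?P<sd>-|(?:\[[^\]]*\])+)(?: (?P<msg>.*))?$", re.S)
# RFC 3164: "Mmm dd hh:mm:ss HOSTNAME MSG" (no year, no zone, no version)
RFC3164_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$", re.S)


def parse_syslog(line, peer_ip, received_at):
    """Return a dict for one syslog datagram.

    peer_ip is the source address of the datagram and received_at the
    timezone-aware receive time; both are used only when the line itself
    carries no hostname/timestamp, and every such substitution is recorded
    in rec["inferred"].
    """
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("no PRI field: %r" % line)
    pri = int(m.group("pri"))
    if pri > 191:  # facility 0..23, severity 0..7
        raise ValueError("PRI out of range: %d" % pri)
    rest = m.group("rest")
    rec = {"facility": pri >> 3, "severity": pri & 7, "app": "-", "inferred": []}

    m5 = RFC5424_RE.match(rest)
    m3 = None if m5 else RFC3164_RE.match(rest)
    if m5:
        rec["format"] = "rfc5424"
        rec["hostname"] = m5.group("host")
        rec["app"] = m5.group("app")
        rec["message"] = m5.group("msg") or ""
        if m5.group("ts") == "-":  # NILVALUE is legal in RFC 5424
            rec["timestamp"] = received_at
            rec["inferred"].append("timestamp")
        else:
            rec["timestamp"] = datetime.fromisoformat(m5.group("ts").replace("Z", "+00:00"))
    elif m3:
        rec["format"] = "rfc3164"
        # RFC 3164 has no year or zone: assume the receive year and UTC
        # (a stated assumption; adjust if the gateway clock is not UTC).
        ts = datetime.strptime(m3.group("ts"), "%b %d %H:%M:%S")
        rec["timestamp"] = ts.replace(year=received_at.year, tzinfo=timezone.utc)
        rec["hostname"] = m3.group("host")
        rec["message"] = m3.group("msg")
    else:
        # Degraded form: "<PRI>message" with no header at all. Take the
        # header from the transport and say so.
        rec["format"] = "pri-only"
        rec["timestamp"] = received_at
        rec["hostname"] = peer_ip
        rec["message"] = rest
        rec["inferred"] = ["timestamp", "hostname"]
    return rec


def to_rfc5424(rec):
    """Re-emit a parsed record as an RFC 5424 line for the downstream collector."""
    pri = (rec["facility"] << 3) | rec["severity"]
    ts = rec["timestamp"].isoformat().replace("+00:00", "Z")
    sd = "-"
    if rec["inferred"]:
        sd = '[norm@32473 inferred="%s"]' % ",".join(rec["inferred"])
    return "<%d>1 %s %s %s - - %s %s" % (pri, ts, rec["hostname"], rec["app"], sd, rec["message"])


# Constructed sample input (not captured from a real gateway): the same sshd
# event in full RFC 5424 form, in RFC 3164 form, and in the degraded PRI-only
# form the thread complains about.
PEER = "192.0.2.10"
RECEIVED_AT = datetime(2024, 1, 5, 12, 0, 7, tzinfo=timezone.utc)
SAMPLES = [
    "<13>1 2024-01-05T11:59:58Z fw-a sshd 1234 - - Accepted publickey for admin from 198.51.100.7",
    "<13>Jan  5 11:59:59 fw-a sshd[1234]: Accepted publickey for admin from 198.51.100.7",
    "<13>sshd[1234]: Accepted publickey for admin from 198.51.100.7",
]


def normalize_all(lines, peer_ip, received_at):
    """Parse and re-emit a batch of lines; returns the normalized RFC 5424 lines."""
    return [to_rfc5424(parse_syslog(l, peer_ip, received_at)) for l in lines]


if __name__ == "__main__":
    for out in normalize_all(SAMPLES, PEER, RECEIVED_AT):
        print(out)
```

The inferred-field marker matters operationally: once the relay substitutes the peer address for the hostname, a NAT device or a load balancer in the path would otherwise make every gateway look like the same host, and an analyst reading the SIEM could not tell a device-stamped timestamp from a receive-time one. Keeping that distinction explicit in the structured data is what lets the downstream parser stay strict without dropping the gateway's own messages.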
poignant sarcasm on {
Meanwhile there is a fixed version, R81 from take 34 (36), where this is included. Only 12 years after the RFC was "modernized" and 7 years after this was mentioned in sk100727.
} poignant sarcasm off 😐